The Ping: Breaking Down Compliance

Criminal Justice Information Services (CJIS)

Criminal Justice Information Services, or CJIS, is a division of the FBI that provides criminal justice information needed to perform law enforcement duties. It “serve[s] as the focal point and central repository for criminal justice information services in the FBI.” – FBI. In Texas this information is disseminated via the DPS and includes details such as vehicle registration, criminal history, driver’s license, license plate, firearm, etc. Because this information is highly sensitive and needs to be protected, CJIS provides security compliance requirements and performs audits to ensure these requirements are being met. Below are just a few example requirements of the Security Policy…

  • Security Awareness Training
  • Perimeter Intrusion Detection
  • Advanced Authentication
  • Maintain Log History
  • Change Management
  • Device Encryption

Failing a single audit flags an agency as non-compliant. If compliance is not achieved, the agency can lose access to the information and tools needed to perform their duties.

Payment Card Industry (PCI)

Any person or company that handles a credit card or credit card number needs to be aware of PCI compliance. Furthermore, businesses that process credit cards need to achieve PCI compliance in an official capacity. “The PCI Security Standards Council is a global forum for the industry to come together to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. … The Council was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. … They share equally in governance and execution of the Council’s work. … The Council maintains, evolves, and promotes the Payment Card Industry Security Standards. … It also provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs. … Note that enforcement of compliance with the PCI DSS and determination of any non-compliance penalties are carried out by the individual payment brands and not by the Council.” – PCI Security Standards website

PCI compliance requirements include many of the same criteria as CJIS and more. Determining who owns responsibility for protecting sensitive credit card data can be confusing as it depends on your methods, software, hardware, and practices. However, you are ultimately responsible for figuring that out and making sure compliance is being met.

Federal Financial Institutions Examination Council (FFIEC)

The FFIEC, or Federal Financial Institutions Examination Council, is an interagency body that spans several banking regulators, including the FDIC and the NCUA. Financial institutions must comply with the “Guidelines Establishing Standards for Safeguarding Customer Information” (guidelines) as issued pursuant to the Gramm-Leach-Bliley Act (GLBA). The guidelines were published in the Federal Register on February 1, 2001, and became effective on July 1, 2001.

The guideline requirements include physically and procedurally securing customer information. The guidelines also require a plan for how to handle and report any type of breach. This is a law, not a recommendation; not complying can result in fines and other legal ramifications.

Health Insurance Portability and Accountability Act (HIPAA)

“To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.” – HHS.gov

Health information becomes individually identifiable, and therefore protected under HIPAA, when it is tied to identifiers such as:

  • Names or parts of names
  • Geographical identifiers
  • Dates directly related to an individual
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health insurance beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Fingerprints, retinal and voice prints
  • Full face or any comparable photographic images
  • Any other unique identifying characteristic

The U.S. Department of Health & Human Services (HHS) may impose civil money penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement. HIPAA also carries criminal penalties: any person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one year of imprisonment.

Your UniVista Team
*Celebrating 20 Years of Customer Satisfaction*